ibizaman
diff --git a/‎flake.nix
+102 b/‎flake.nix
+102
diff --git a/‎modules/configuration.nix
+3-4 b/‎modules/configuration.nix
+3-4
diff --git a/‎modules/initialgen.nix
+18-11 b/‎modules/initialgen.nix
+18-11
diff --git a/‎modules/installonbeacon.nix
+132-59 b/‎modules/installonbeacon.nix
+132-59
diff --git a/‎template/configuration.nix
+6-2 b/‎template/configuration.nix
+6-2
@@ -73,6 +73,108 @@
           done
         '';
 
+        gen-sopsconfig-file = pkgs.writeShellScriptBin "gen-sopsconfig-file" ''
+          while getopts "hp:s:" o; do
+            case "''${o}" in
+              h)
+                usage
+                exit 0
+                ;;
+              p)
+                pubhostkey=''${OPTARG}
+                ;;
+              s)
+                sopskey=''${OPTARG}
+                ;;
+              *)
+                usage
+                exit 1
+                ;;
+            esac
+          done
+          shift $((OPTIND-1))
+
+          if [ -z "$sopskey" ]; then
+            echo "Please pass sops key with -k argument."
+            exit 1
+          fi
+
+          if [ -z "$pubhostkey" ]; then
+            echo "Please pass sops key with -o argument."
+            exit 1
+          fi
+
+          me_age_key="$(${pkgs.age}/bin/age-keygen -y $sopskey)"
+          host_age_key="$(cat $pubhostkey | ${pkgs.ssh-to-age}/bin/ssh-to-age)"
+
+          cat <<SOPS > .sops.yaml
+          keys:
+            # To obtain the age key for &me, run:
+            #   nix shell .#age --command age-keygen -y $sopskey
+            - &me $me_age_key
+            # To obtain the age key for &server, run:
+            #   nix shell .#age --command age-keygen -y $pubhostkey
+            - &server $host_age_key
+          creation_rules:
+            - path_regex: secrets\.yaml$
+              key_groups:
+              - age:
+                - *me
+                - *server
+          SOPS
+        '';
+
+        sops = pkgs.writeShellScriptBin "edit-secrets" ''
+          while getopts ":hs:" o; do
+            case "''${o}" in
+              h)
+                usage
+                exit 0
+                ;;
+              s)
+                sopskey=''${OPTARG}
+                ;;
+              *)
+                ;;
+            esac
+          done
+          shift $((OPTIND-1))
+
+          export SOPS_AGE_KEY_FILE=$sopskey
+          ${pkgs.sops}/bin/sops $*
+        '';
+
+        sops-yq-edit = pkgs.writeShellScriptBin "edit-secrets" ''
+          while getopts ":hf:s:t:" o; do
+            case "''${o}" in
+              h)
+                usage
+                exit 0
+                ;;
+              f)
+                file=''${OPTARG}
+                ;;
+              s)
+                sopskey=''${OPTARG}
+                ;;
+              t)
+                transformation=''${OPTARG}
+                ;;
+              *)
+                ;;
+            esac
+          done
+          shift $((OPTIND-1))
+
+          set -euo pipefail
+
+          export SOPS_AGE_KEY_FILE="$sopskey"
+          ${pkgs.sops}/bin/sops encrypt --filename-override "$file" --output "$file.dup" <( \
+            ${pkgs.sops}/bin/sops decrypt "$file" \
+              | ${pkgs.yq-go}/bin/yq "$transformation"
+          ) \
+          && mv "$file.dup" "$file"
+        '';
 
         # Install a nixosConfigurations instance (<flake>) on a server.
         #
 
@@ -18,10 +18,9 @@ in
       description = "Name given to the admin user on the server.";
     };
 
-    initialHashedPassword = mkOption {
+    hashedPasswordFile = mkOption {
       type = types.str;
-      default = "$y$j9T$7EZvmryvlpTHSRG7dC5IU1$lBc/nePnkvqZ//jNpx/UpFKze/p6P7AIhJubK/Ghj68";
-      description = "Initial password for the admin user. Can be changed later. Default is 'skarabox123'.";
+      description = "Contains password for the admin user.";
     };
 
     facter-config = lib.mkOption {
@@ -110,7 +109,7 @@ in
     users.users.${cfg.username} = {
       isNormalUser = true;
       extraGroups = [ "wheel" ];
-      inherit (cfg) initialHashedPassword;
+      inherit (cfg) hashedPasswordFile;
       openssh.authorizedKeys.keyFiles = [ cfg.sshAuthorizedKeyFile ];
     };
 
 
@@ -93,25 +93,32 @@ USAGE
     e "Generating server host key in ./host_key and ./host_key.pub..."
     rm host_key && ${nix} shell ${../.}#openssh --command ssh-keygen -t ed25519 -N "" -f host_key && chmod 600 host_key
 
+    e "Generating sops key ./sops.key..."
+    rm sops.key && ${nix} shell ${../.}#age --command age-keygen -o sops.key
+    e "Generating sops config ./.sops.yaml..."
+    ${nix} run ${../.}#gen-sopsconfig-file -- -s sops.key -p host_key.pub
+
+    e "Generating sops secrets file ./secrets.yaml..."
+    touch secrets.yaml
+    ${nix} run ${../.}#sops -- -s sops.key encrypt -i secrets.yaml
+
     e "Generating ssh key in ./ssh_skarabox and ./ssh_skarabox.pub..."
     rm ssh_skarabox && ${nix} shell ${../.}#openssh --command ssh-keygen -t ed25519 -N "" -f ssh_skarabox && chmod 600 ssh_skarabox
 
-    e "Generating initial password for user in ./initialHashedPassword..."
-    ${nix} run ${../.}#mkpasswd -- $mkpasswdargs > initialHashedPassword
+    e "Generating initial password for user in secrets.yaml under user/hashedPassword"
+    ${nix} run ${../.}#sops-yq-edit -- -s sops.key -f secrets.yaml \
+      -t ".user.hashedPassword = \"$(${nix} run ${../.}#mkpasswd -- $mkpasswdargs)\""
 
     e "Generating hostid in ./hostid..."
     ${nix} shell ${../.}#util-linux --command uuidgen | head -c 8 > hostid
 
-    e "Generating root pool passphrase in ./root_passphrase..."
-    chmod 600 root_passphrase
-    ${nix} run ${../.}#openssl -- rand -hex 64 > root_passphrase
+    e "Generating root pool passphrase in secrets.yaml under skarabox/disks/rootPassphrase"
+    ${nix} run ${../.}#sops-yq-edit -- -s sops.key -f secrets.yaml \
+      -t ".skarabox.disks.rootPassphrase = \"$(${nix} run ${../.}#openssl -- rand -hex 64)\""
 
-    e "Generating data pool passphrase in ./data_passphrase..."
-    chmod 600 data_passphrase
-    ${nix} run ${../.}#openssl -- rand -hex 64 > data_passphrase
-
-    e "Generating sops key ./sops.key..."
-    rm sops.key && ${nix} shell ${../.}#age --command age-keygen -o sops.key
+    e "Generating data pool passphrase in secrets.yaml under skarabox/disks/dataPassphrase"
+    ${nix} run ${../.}#sops-yq-edit -- -s sops.key -f secrets.yaml \
+      -t ".skarabox.disks.dataPassphrase = \"$(${nix} run ${../.}#openssl -- rand -hex 64)\""
 
     e "You will need to fill out the ./ip, ./known_hosts and ./system file"
     e "and adjust the ssh_port and ssh_boot_port if you want to."
 
@@ -1,60 +1,133 @@
 { pkgs, nixos-anywhere }:
-pkgs.writeShellScriptBin "install-on-beacon" ''
-  usage () {
-    cat <<USAGE
-Usage: $0 -i IP -p PORT -f FLAKE -k HOST_KEY -r ROOT_PASSPHRASE_FILE -d DATA_PASSPHRASE_FILE [-a EXTRA_OPTS]
-
-  -h:                       Shows this usage
-  -i IP:                    IP of the target host running the beacon.
-  -p PORT:                  Port of the target host running the beacon.
-  -f FLAKE:                 Flake to install on the target host.
-  -k HOST_KEY_FILE:         SSH key to use as the host identification key.
-  -r ROOT_PASSPHRASE_FILE:  File containing the root passphrase used to encrypt the root ZFS pool.
-  -d DATA_PASSPHRASE_FILE:  File containing the data passphrase used to encrypt the data ZFS pool.
-  -a EXTRA_OPTS:            Extra options to pass verbatim to nixos-anywhere.
-USAGE
-  }
-  while getopts "hi:p:f:k:r:d:a:" o; do
-    case "''${o}" in
-      h)
-        usage
-        exit 0
-        ;;
-      i)
-        ip=''${OPTARG}
-        ;;
-      p)
-        port=''${OPTARG}
-        ;;
-      f)
-        flake=''${OPTARG}
-        ;;
-      k)
-        host_key_file=''${OPTARG}
-        ;;
-      r)
-        root_passphrase_file=''${OPTARG}
-        ;;
-      d)
-        data_passphrase_file=''${OPTARG}
-        ;;
-      a)
-        extra_opts=''${OPTARG}
-        ;;
-      *)
-        usage
-        exit 1
-        ;;
-    esac
-  done
-  shift $((OPTIND-1))
-
-  ${nixos-anywhere}/bin/nixos-anywhere \
-    --flake $flake \
-    --disk-encryption-keys /tmp/host_key $host_key_file \
-    --disk-encryption-keys /tmp/root_passphrase $root_passphrase_file \
-    --disk-encryption-keys /tmp/data_passphrase $data_passphrase_file \
-    --ssh-port $port \
-    skarabox@$ip \
-    $extra_opts
-''
+let
+  # We use a separate script here because sops run script
+  # with /bin/sh and this way we can override the shell easily.
+  #
+  # Other methods of doing that exist but this way also helps with
+  # making escaping variables easier. And it runs shellcheck.
+  innerScript = pkgs.writeShellApplication {
+    name = "install-on-beacon";
+
+    runtimeInputs = [
+      pkgs.yq
+    ];
+
+    text = ''
+      fd="$1"
+      ip="$2"
+      port="$3"
+      flake="$4"
+      host_key_file="$5"
+      root_passphrase_path="$6"
+      data_passphrase_path="$7"
+      extra_opts="$8"
+
+      # We read the fd once and store it because
+      # we can't read it twice.
+      secrets="$(cat "$fd")"
+      root_passphrase=$(echo "$secrets" | yq -r "$root_passphrase_path")
+      data_passphrase=$(echo "$secrets" | yq -r "$data_passphrase_path")
+
+      nixos-anywhere \
+        --flake "$flake" \
+        --disk-encryption-keys /tmp/host_key "$host_key_file" \
+        --disk-encryption-keys /tmp/root_passphrase <(echo "$root_passphrase") \
+        --disk-encryption-keys /tmp/data_passphrase <(echo "$data_passphrase") \
+        --ssh-port "$port" \
+        skarabox@"$ip" \
+        "$extra_opts"
+    '';
+  };
+in
+pkgs.writeShellApplication {
+  name = "install-on-beacon";
+
+  runtimeInputs = [
+    nixos-anywhere
+    pkgs.bash
+    pkgs.sops
+    pkgs.yq
+  ];
+
+  text = ''
+    usage () {
+      cat <<USAGE
+    Usage: $0 -i IP -p PORT -f FLAKE -k HOST_KEY -r ROOT_PASSPHRASE_FILE -d DATA_PASSPHRASE_FILE [-a EXTRA_OPTS]
+
+      -h:                       Shows this usage
+      -i IP:                    IP of the target host running the beacon.
+      -p PORT:                  Port of the target host running the beacon.
+      -f FLAKE:                 Flake to install on the target host.
+      -k HOST_KEY_FILE:         SSH key to use as the host identification key.
+      -r ROOT_PASSPHRASE_PATH:  Path in the yaml secrets file for the root passphrase used to encrypt the root ZFS pool.
+      -d DATA_PASSPHRASE_PATH:  Path in the yaml secrets file for the data passphrase used to encrypt the root ZFS pool.
+      -s SOPS_KEY:              File containing a sops key capable of decrypting the secrets.
+      -a EXTRA_OPTS:            Extra options to pass verbatim to nixos-anywhere.
+    USAGE
+    }
+
+    check_empty () {
+      if [ -z "$1" ]; then
+        echo "$3 must not be empty, pass with flag $2"
+      fi
+    }
+
+    while getopts "hi:p:f:k:r:d:s:a:" o; do
+      case "''${o}" in
+        h)
+          usage
+          exit 0
+          ;;
+        i)
+          ip=''${OPTARG}
+          ;;
+        p)
+          port=''${OPTARG}
+          ;;
+        f)
+          flake=''${OPTARG}
+          ;;
+        k)
+          host_key_file=''${OPTARG}
+          ;;
+        r)
+          root_passphrase_path=''${OPTARG}
+          ;;
+        d)
+          data_passphrase_path=''${OPTARG}
+          ;;
+        s)
+          sopskey=''${OPTARG}
+          ;;
+        a)
+          extra_opts=''${OPTARG}
+          ;;
+        *)
+          usage
+          exit 1
+          ;;
+      esac
+    done
+    shift $((OPTIND-1))
+
+    check_empty "$ip" -i ip
+    check_empty "$port" -p port
+    check_empty "$flake" -f flake
+    check_empty "$host_key_file" -k host_key_file
+    check_empty "$root_passphrase_path" -r root_passphrase_path
+    check_empty "$data_passphrase_path" -d data_passphrase_path
+    check_empty "$sopskey" -s sopskey
+
+    SOPS_AGE_KEY_FILE=$sopskey sops exec-file secrets.yaml "
+      bash \
+      ${innerScript}/bin/install-on-beacon {} \
+      $ip \
+      $port \
+      $flake \
+      $host_key_file \
+      $root_passphrase_path \
+      $data_passphrase_path \
+      $extra_opts
+    "
+  '';
+}
@@ -3,7 +3,7 @@
 # More info at:
 # - https://wiki.nixos.org/wiki/NixOS_modules
 # - https://nixos.org/manual/nixos/stable/#sec-writing-modules
-{ lib, ... }:
+{ lib, config, ... }:
 let
   inherit (lib) mkMerge;
 in
@@ -19,7 +19,7 @@ in
     {
       skarabox.hostname = "skarabox";
       skarabox.username = "skarabox";
-      skarabox.initialHashedPassword = lib.trim (builtins.readFile ./initialHashedPassword);
+      skarabox.hashedPasswordFile = config.sops.secrets."user/hashedPassword".path;
       skarabox.facter-config = ./facter.json;
       skarabox.disks.rootDisk = "/dev/nvme0n1";  # Update with result of running `fdisk -l` on the USB stick.
       skarabox.disks.rootDisk2 = null;  # Set a value only if you have a second disk for the root partition.
@@ -52,6 +52,10 @@ in
       sops.age = {
         sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
       };
+
+      sops.secrets."user/hashedPassword" = {};
+      sops.secrets."skarabox/disks/rootPassphrase" = {};
+      sops.secrets."skarabox/disks/dataPassphrase" = {};
     }
     # Your config
     {